blustealer | dbbd97938b7195d695adbf9d86f4a0efe9b044aaf3da437e02f187ec6323a177

General

Target

fatura64390089,pdf.exe
Size

407KB
MD5

c05d621f037ac3934058043187adec75
SHA1

be6482abbdf88b6462293f4058f00c9b5d8de995
SHA256

dbbd97938b7195d695adbf9d86f4a0efe9b044aaf3da437e02f187ec6323a177
SHA512

8d3db7aacecc65ce982ee4f0168d52d3059b5c94a8307bcff6b5c7a6b628020682e090bd909c18b6991c1a94adea7af39c83bc850747d34b65898eff73fc0091
SSDEEP

12288:gYEP7r9r/+ppppppppppppppppppppppppppppp0YGspBGc52epgqIM4l5q4/:gYE1MGsnGAQPn

Score

10^/10

blustealer stormkitty collection persistence stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendMessage?chat_id=1638137774

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3964-142-0x0000000000AE0000-0x0000000000AFA000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

Processes:

ffdkbznenn.exeffdkbznenn.exe

pid process

4736 ffdkbznenn.exe
2160 ffdkbznenn.exe

pid	process
4736	ffdkbznenn.exe
2160	ffdkbznenn.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ffdkbznenn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aupp = "C:\\Users\\Admin\\AppData\\Roaming\\xvfemejxi\\rqxm.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ffdkbznenn.exe\" C:\\Users\\Admin\\AppData\\Local\\"	ffdkbznenn.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 icanhazip.com

flow	ioc
19	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

ffdkbznenn.exeffdkbznenn.exe

description	pid	process	target process
PID 4736 set thread context of 2160	4736	ffdkbznenn.exe	ffdkbznenn.exe
PID 2160 set thread context of 3964	2160	ffdkbznenn.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ffdkbznenn.exe

pid process

2160 ffdkbznenn.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ffdkbznenn.exe

pid process

4736 ffdkbznenn.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 3964 AppLaunch.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ffdkbznenn.exe

pid process

2160 ffdkbznenn.exe

pid	process
2160	ffdkbznenn.exe

pid	process
4736	ffdkbznenn.exe

description	pid	process
Token: SeDebugPrivilege	3964	AppLaunch.exe

pid	process
2160	ffdkbznenn.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fatura64390089,pdf.exeffdkbznenn.exeffdkbznenn.exe

description	pid	process	target process
PID 1712 wrote to memory of 4736	1712	fatura64390089,pdf.exe	ffdkbznenn.exe
PID 1712 wrote to memory of 4736	1712	fatura64390089,pdf.exe	ffdkbznenn.exe
PID 1712 wrote to memory of 4736	1712	fatura64390089,pdf.exe	ffdkbznenn.exe
PID 4736 wrote to memory of 2160	4736	ffdkbznenn.exe	ffdkbznenn.exe
PID 4736 wrote to memory of 2160	4736	ffdkbznenn.exe	ffdkbznenn.exe
PID 4736 wrote to memory of 2160	4736	ffdkbznenn.exe	ffdkbznenn.exe
PID 4736 wrote to memory of 2160	4736	ffdkbznenn.exe	ffdkbznenn.exe
PID 2160 wrote to memory of 3964	2160	ffdkbznenn.exe	AppLaunch.exe
PID 2160 wrote to memory of 3964	2160	ffdkbznenn.exe	AppLaunch.exe
PID 2160 wrote to memory of 3964	2160	ffdkbznenn.exe	AppLaunch.exe
PID 2160 wrote to memory of 3964	2160	ffdkbznenn.exe	AppLaunch.exe
PID 2160 wrote to memory of 3964	2160	ffdkbznenn.exe	AppLaunch.exe

outlook_office_path 1 IoCs

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\fatura64390089,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\fatura64390089,pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe
"C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe" C:\Users\Admin\AppData\Local\Temp\iiijlwhsvt.hcv
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4736

C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe
"C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
4⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe
Filesize
53KB

MD5
292f15361b1c917862f22d5f86e83e2e

SHA1
e12efc100d01f52e3dc53d2172602e2e86a5671b

SHA256
0e605b21230a7fda50f970a5cc9dde223854a75d9d5e5f2a33963f84810f2490

SHA512
a8311c10337eeec3253699c53ccebd846fe3a14e136de2e8300398e946d0f6e0bf08a83df510e24fb1488e6a81dc43b26c40643cc4ec7eb180e104ae0c465b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe
Filesize
53KB

MD5
292f15361b1c917862f22d5f86e83e2e

SHA1
e12efc100d01f52e3dc53d2172602e2e86a5671b

SHA256
0e605b21230a7fda50f970a5cc9dde223854a75d9d5e5f2a33963f84810f2490

SHA512
a8311c10337eeec3253699c53ccebd846fe3a14e136de2e8300398e946d0f6e0bf08a83df510e24fb1488e6a81dc43b26c40643cc4ec7eb180e104ae0c465b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe
Filesize
53KB

MD5
292f15361b1c917862f22d5f86e83e2e

SHA1
e12efc100d01f52e3dc53d2172602e2e86a5671b

SHA256
0e605b21230a7fda50f970a5cc9dde223854a75d9d5e5f2a33963f84810f2490

SHA512
a8311c10337eeec3253699c53ccebd846fe3a14e136de2e8300398e946d0f6e0bf08a83df510e24fb1488e6a81dc43b26c40643cc4ec7eb180e104ae0c465b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\iiijlwhsvt.hcv
Filesize
7KB

MD5
57dc842d381d9d79fbc3ec8f3ebde260

SHA1
bc816ee4cb338e9486a2446d0f40d34ac7f017c4

SHA256
570080568f2d6becd79e7e76fb7499ee4924ad2b103b9cb037195cfbbaf52fed

SHA512
15ad3cc80f79825d00617d5fe1214a6cc8513d0d7a4714e5f7ba3c6a70960759b446d1d2ff456d1cedc779f93586d406123db3a77e782d3d199aa8d6b27ffe68

Download Submit
C:\Users\Admin\AppData\Local\Temp\oabtivtl.s
Filesize
164KB

MD5
0ad27cb8fc43f58b4e8cef4931c5a5fd

SHA1
4a8f8c0e7070ffd8614174e1c6b19087ab2e5764

SHA256
bb858577716f072849106950e08834c35efd87de9e7d9b00e0082810e31ec202

SHA512
4338db180c0385206ab8b7b0e5473fdecc6a7599fc22b338c105adb73b2e72d328d89d2fbaf874d22135dd8ca98b4b1759e3a2d3cba312e0b7bdcf8e4f06698b

Download Submit
memory/2160-137-0x0000000000000000-mapping.dmp

Download
memory/2160-144-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2160-146-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3964-141-0x0000000000000000-mapping.dmp

Download
memory/3964-142-0x0000000000AE0000-0x0000000000AFA000-memory.dmp

Filesize
104KB

Download
memory/3964-143-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/3964-145-0x0000000005D50000-0x0000000005DEC000-memory.dmp

Filesize
624KB

Download
memory/4736-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads